Ensure EKS Node Group IAM roles do not have administrator privileges

Providing full administrative privileges, instead of restricting access to the minimum set of permissions the user requires, exposes the resources to potentially unwanted actions.

Risk Level: Low
Cloud Entity: IAM Role
CloudGuard Rule ID: D9.AWS.IAM.97
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamRole where combinedPolicies with [ policyDocument with [ Statement with [ Principal.Service ='eks.amazonaws.com' ] ] ] should not have document.Statement contain[ Effect='Allow' and Action='*' ]
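
The rule above, re-expressed as an offline check in Python. This is an added example, not CloudGuard's or AWS's own code; the role layout (`trust_policy`, `policies`), the role and policy names and the sample data are hypothetical, and treating a list-valued Action that contains '*' as a match is an assumption.

```python
EKS_SERVICE = "eks.amazonaws.com"

def as_list(value):
    # IAM policy JSON accepts a single item wherever a list is allowed.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_eks(trust_policy):
    # True when a trust statement names eks.amazonaws.com as a service principal.
    for stmt in as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and EKS_SERVICE in as_list(principal.get("Service")):
            return True
    return False

def grants_all_actions(policy_document):
    # True when any statement has Effect 'Allow' and Action '*'.
    return any(
        stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Action"))
        for stmt in as_list(policy_document.get("Statement"))
    )

def scan(roles):
    # Map each non-compliant role name to the policies that should be detached.
    findings = {}
    for name, role in roles.items():
        if not trusts_eks(role["trust_policy"]):
            continue  # the rule only covers roles assumable by eks.amazonaws.com
        flagged = sorted(p for p, doc in role["policies"].items() if grants_all_actions(doc))
        if flagged:
            findings[name] = flagged
    return findings

def trust_for(service):
    # Build a minimal trust policy for the given service principal(s).
    return {"Statement": [{"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]}

# Constructed sample roles (hypothetical names and layout, not real account data).
SAMPLE_ROLES = {
    "eks-nodegroup-admin": {"trust_policy": trust_for("eks.amazonaws.com"), "policies": {
        "FullAccess": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "DescribeOnly": {"Statement": {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}}}},
    "eks-nodegroup-scoped": {"trust_policy": trust_for(["eks.amazonaws.com"]), "policies": {
        "PullImages": {"Statement": [{"Effect": "Allow", "Action": ["ecr:BatchGetImage"], "Resource": "*"},
                                     {"Effect": "Deny", "Action": "*", "Resource": "*"}]}}},
    "lambda-admin": {"trust_policy": trust_for("lambda.amazonaws.com"), "policies": {
        "FullAccess": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
}
```

Calling `scan(SAMPLE_ROLES)` reports only `eks-nodegroup-admin` with its `FullAccess` policy: the Deny statement and the role trusted by another service fall outside the rule.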

REMEDIATION

From Portal

  1. Go to 'IAM'
  2. In the menu, under 'Access management', choose 'Roles'
  3. For each non-compliant role:
  4. Click on the non-compliant role name
  5. Under 'Permissions', select the policy that provides full access
  6. Click 'Remove'

From Command Line
To remove the specified managed policy from a specified IAM Role, run:

aws iam detach-role-policy --role-name ROLE-NAME --policy-arn POLICY-ARN

References

  1. https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html
  2. https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html

IAM Role

An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset